From lmc...@apache.org
Subject knox git commit: add credential provider to get idbroker creds from alias service
Date Wed, 04 Jul 2018 17:56:06 GMT
Repository: knox
Updated Branches:
  refs/heads/KNOX-1204 f315b6652 -> e4b75908d


add credential provider to get idbroker creds from alias service


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/e4b75908
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/e4b75908
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/e4b75908

Branch: refs/heads/KNOX-1204
Commit: e4b75908d0a4d2529483203b243bb5dc9386534f
Parents: f315b66
Author: Larry McCay <lmccay@apache.org>
Authored: Wed Jul 4 13:55:21 2018 -0400
Committer: Larry McCay <lmccay@apache.org>
Committed: Wed Jul 4 13:55:21 2018 -0400

----------------------------------------------------------------------
 .../AbstractKnoxCloudCredentialsClient.java     | 18 ++++-
 .../idbroker/IdentityBrokerResource.java        | 18 ++++-
 .../idbroker/KnoxCloudCredentialsClient.java    | 11 +++
 .../KnoxCloudCredentialsClientManager.java      | 82 ++++++++++++++++++++
 .../KnoxCloudCredentiatlsClientManager.java     | 75 ------------------
 .../service/idbroker/aws/KnoxAWSClient.java     | 48 +++++++++++-
 .../service/knoxs3/KnoxS3ClientBuilder.java     |  4 +-
 7 files changed, 174 insertions(+), 82 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java
b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java
index b150d28..af6ab01 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java
@@ -17,13 +17,24 @@
  */
 package org.apache.knox.gateway.service.idbroker;
 
-public class AbstractKnoxCloudCredentialsClient {
+import java.util.Properties;
+
+import org.apache.knox.gateway.services.security.AliasService;
+
+public abstract class AbstractKnoxCloudCredentialsClient implements KnoxCloudCredentialsClient
{
   private KnoxCloudPolicyProvider policyProvider = null;
+  protected AliasService aliasService;
+  protected String topologyName;
 
   public AbstractKnoxCloudCredentialsClient() {
     super();
   }
   
+  @Override
+  public void init(Properties context) {
+    topologyName = context.getProperty("topology.name");
+  }
+
   public KnoxCloudPolicyProvider getPolicyProvider() {
     return policyProvider;
   }
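Review bot: `init` stores `context.getProperty("topology.name")` without checking that the property is present, so a missing value leaves `topologyName` null and the alias lookups keyed on it fail much later with no hint of the cause; validating at init time, `topologyName = Objects.requireNonNull(context.getProperty("topology.name"), "topology.name");` (with `java.util.Objects` imported), fails fast with the name of the missing setting. A short Javadoc on the two new protected fields stating that `aliasService` is injected through `setAliasService` after `init` (the order `IdentityBrokerResource.init` uses in this commit) would tell subclass authors what they may rely on inside `init`. The `setAliasService` body in the second hunk of this file is indented with a tab and carries trailing whitespace, while the rest of the class uses two spaces.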
@@ -31,4 +42,9 @@ public class AbstractKnoxCloudCredentialsClient {
   public void setPolicyProvider(KnoxCloudPolicyProvider policyProvider) {
     this.policyProvider = policyProvider;
   }
+
+  @Override
+  public void setAliasService(AliasService aliasService) {
+	this.aliasService = aliasService;  
+  }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java
b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java
index 1167011..d457976 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java
@@ -18,6 +18,8 @@
 package org.apache.knox.gateway.service.idbroker;
 
 import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.services.GatewayServices;
+import org.apache.knox.gateway.services.security.AliasService;
 
 import javax.annotation.PostConstruct;
 import javax.servlet.ServletContext;
@@ -47,7 +49,7 @@ public class IdentityBrokerResource {
   private static final String NO_CACHE = "must-revalidate,no-cache,no-store";
 
   private KnoxCloudPolicyProvider policyProvider = new KnoxPolicyProviderManager();
-  private KnoxCloudCredentialsClient credentialsClient = new KnoxCloudCredentiatlsClientManager();
+  private KnoxCloudCredentialsClient credentialsClient = new KnoxCloudCredentialsClientManager();
 
   @Context
   HttpServletRequest request;
@@ -61,12 +63,24 @@ public class IdentityBrokerResource {
   @PostConstruct
   public void init() {
     Properties props = getProperties();
+    String topologyName = (String) request.getServletContext().
+    		getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE);
+    props.setProperty("topology.name", topologyName);
     policyProvider.init(props);
     credentialsClient.init(props);
     credentialsClient.setPolicyProvider(policyProvider);
+    AliasService aliasService = getAliasService();
+    credentialsClient.setAliasService(aliasService);
   }
 
-  private Properties getProperties() {
+  private AliasService getAliasService() {
+    GatewayServices services = (GatewayServices)request.getServletContext().
+            getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
+    AliasService as = services.getService(GatewayServices.ALIAS_SERVICE);
+	return as;
+}
+
+private Properties getProperties() {
     Properties props = new Properties();
     String paramName = null;
     Enumeration<String> e = context.getInitParameterNames();
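Review bot: `props.setProperty("topology.name", topologyName)` throws a NullPointerException out of `Hashtable.put` if the `GATEWAY_CLUSTER_ATTRIBUTE` servlet-context attribute is absent, and `services.getService(...)` in `getAliasService` fails the same way when `GATEWAY_SERVICES_ATTRIBUTE` is missing; an explicit check naming the attribute, e.g. `if (topologyName == null) { throw new IllegalStateException("topology name not available from servlet context"); }`, makes a deployment error diagnosable from the log. `getAliasService` reads more simply as a single `return services.getService(GatewayServices.ALIAS_SERVICE);` without the `as` local. The closing brace of `getAliasService` and the `private Properties getProperties()` declaration have lost their indentation (both sit at column 0) and `return as;` is tab-indented; the body of `getProperties` continues outside the hunk.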

http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java
b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java
index c494d04..80b4fd0 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java
@@ -19,6 +19,8 @@ package org.apache.knox.gateway.service.idbroker;
 
 import java.util.Properties;
 
+import org.apache.knox.gateway.services.security.AliasService;
+
 public interface KnoxCloudCredentialsClient {
   /**
    * initialize client with the context from the topology
@@ -48,4 +50,13 @@ public interface KnoxCloudCredentialsClient {
    */
   String getName();
 
+  /**
+   * Set the AliasService implementation currently configured for the
+   * gateway, in order to locate the idbroker credentials for the given
+   * topology instance. Topology name is in the Properties provided to
+   * the init method.
+   * @param aliasService
+   */
+  void setAliasService(AliasService aliasService);
+
 }
\ No newline at end of file
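Review bot: The Javadoc for `setAliasService` leaves `@param aliasService` without a description and does not say when the setter is invoked relative to `init`; the only caller in this commit (`IdentityBrokerResource.init`) calls it after `init(Properties)`, so implementations must not depend on the alias service inside `init`, and the contract should say so. Suggested: `@param aliasService the gateway's configured AliasService, used together with the topology name passed to init(Properties) to resolve the credentials stored for that topology; called after init and before getCredentials`.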

http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClientManager.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClientManager.java
b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClientManager.java
new file mode 100644
index 0000000..cd08f69
--- /dev/null
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClientManager.java
@@ -0,0 +1,82 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.idbroker;
+
+import java.util.Iterator;
+import java.util.Properties;
+import java.util.ServiceLoader;
+
+import org.apache.knox.gateway.services.security.AliasService;
+
+public class KnoxCloudCredentialsClientManager implements KnoxCloudCredentialsClient {
+  
+  private static final String CLOUD_CLIENT_PROVIDER = "cloud.client.provider";
+  private KnoxCloudCredentialsClient delegate = null;
+
+  @Override
+  public Object getCredentials() {
+    return delegate.getCredentials();
+  }
+
+  @Override
+  public KnoxCloudPolicyProvider getPolicyProvider() {
+    return delegate.getPolicyProvider();
+  }
+
+  @Override
+  public void setPolicyProvider(KnoxCloudPolicyProvider policyProvider) {
+    delegate.setPolicyProvider(policyProvider);
+  }
+
+  @Override
+  public String getName() {
+    return delegate.getName();
+  }
+
+  @Override
+  public void init(Properties context) {
+    try {
+      delegate = loadDelegate(context.getProperty(CLOUD_CLIENT_PROVIDER));
+      delegate.init(context);
+    }
+    catch (IdentityBrokerConfigException e) {
+      e.printStackTrace();
+    }
+  }
+  
+  @Override
+  public void setAliasService(AliasService aliasService) {
+	  delegate.setAliasService(aliasService);
+  }
+
+  public KnoxCloudCredentialsClient loadDelegate(String name) throws IdentityBrokerConfigException
{
+    KnoxCloudCredentialsClient delegate = null;
+    ServiceLoader<KnoxCloudCredentialsClient> loader = ServiceLoader.load(KnoxCloudCredentialsClient.class);
+    Iterator<KnoxCloudCredentialsClient> iterator = loader.iterator();
+    while(iterator.hasNext()) {
+      delegate = iterator.next();
+      if (name.equals(delegate.getName())) {
+        break;
+      }
+    }
+    if (delegate == null) {
+      throw new IdentityBrokerConfigException(name);
+    }
+    return delegate;
+  }
+}
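Review bot: `loadDelegate` returns the wrong provider when the configured name matches nothing: the loop assigns `delegate = iterator.next()` before comparing, so after an unmatched scan `delegate` still holds the last provider `ServiceLoader` produced and the `delegate == null` check never fires, meaning a misspelled `cloud.client.provider` value silently hands credential issuance to whichever client happened to be registered last. Returning from inside the loop and throwing after it fixes that, and guarding `name` removes the NullPointerException when the property is absent. Separately, `init` swallows `IdentityBrokerConfigException` with `printStackTrace` and leaves `delegate` null, so every delegating method then fails with a NullPointerException far from the real cause; rethrowing wrapped in an unchecked exception with the cause, or at least logging through the gateway's logger, would be better (the same swallow existed in the deleted predecessor and is carried into the new file). The class also has no Javadoc explaining that it selects a `KnoxCloudCredentialsClient` by the `cloud.client.provider` property and delegates everything else to it.
```java
  public KnoxCloudCredentialsClient loadDelegate(String name) throws IdentityBrokerConfigException {
    ServiceLoader<KnoxCloudCredentialsClient> loader = ServiceLoader.load(KnoxCloudCredentialsClient.class);
    for (KnoxCloudCredentialsClient candidate : loader) {
      // Only a name match may be returned; an unmatched scan must not fall through to the last provider.
      if (name != null && name.equals(candidate.getName())) {
        return candidate;
      }
    }
    throw new IdentityBrokerConfigException(name);
  }
```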

http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentiatlsClientManager.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentiatlsClientManager.java
b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentiatlsClientManager.java
deleted file mode 100644
index 6db5193..0000000
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentiatlsClientManager.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.knox.gateway.service.idbroker;
-
-import java.util.Iterator;
-import java.util.Properties;
-import java.util.ServiceLoader;
-
-public class KnoxCloudCredentiatlsClientManager implements KnoxCloudCredentialsClient {
-  
-  private static final String CLOUD_CLIENT_PROVIDER = "cloud.client.provider";
-  private KnoxCloudCredentialsClient delegate = null;
-
-  @Override
-  public Object getCredentials() {
-    return delegate.getCredentials();
-  }
-
-  @Override
-  public KnoxCloudPolicyProvider getPolicyProvider() {
-    return delegate.getPolicyProvider();
-  }
-
-  @Override
-  public void setPolicyProvider(KnoxCloudPolicyProvider policyProvider) {
-    delegate.setPolicyProvider(policyProvider);
-  }
-
-  @Override
-  public String getName() {
-    return delegate.getName();
-  }
-
-  @Override
-  public void init(Properties context) {
-    try {
-      delegate = loadDelegate(context.getProperty(CLOUD_CLIENT_PROVIDER));
-    }
-    catch (IdentityBrokerConfigException e) {
-      e.printStackTrace();
-    }
-  }
-
-  public KnoxCloudCredentialsClient loadDelegate(String name) throws IdentityBrokerConfigException
{
-    KnoxCloudCredentialsClient delegate = null;
-    ServiceLoader<KnoxCloudCredentialsClient> loader = ServiceLoader.load(KnoxCloudCredentialsClient.class);
-    Iterator<KnoxCloudCredentialsClient> iterator = loader.iterator();
-    while(iterator.hasNext()) {
-      delegate = iterator.next();
-      if (name.equals(delegate.getName())) {
-        break;
-      }
-    }
-    if (delegate == null) {
-      throw new IdentityBrokerConfigException(name);
-    }
-    return delegate;
-  }
-  
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
index bdc8f79..1294eb7 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
@@ -25,7 +25,10 @@ import javax.security.auth.Subject;
 import org.apache.knox.gateway.security.SubjectUtils;
 import org.apache.knox.gateway.service.idbroker.AbstractKnoxCloudCredentialsClient;
 import org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient;
+import org.apache.knox.gateway.services.security.AliasServiceException;
 
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.auth.AWSCredentialsProvider;
 import com.amazonaws.regions.Regions;
 import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
 import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
@@ -33,7 +36,8 @@ import com.amazonaws.services.securitytoken.model.GetFederationTokenRequest;
 import com.amazonaws.services.securitytoken.model.GetFederationTokenResult;
 
 public class KnoxAWSClient extends AbstractKnoxCloudCredentialsClient implements KnoxCloudCredentialsClient
{
-  /* (non-Javadoc)
+
+/* (non-Javadoc)
    * @see org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient#getCredentials()
    */
   @Override
@@ -48,7 +52,9 @@ public class KnoxAWSClient extends AbstractKnoxCloudCredentialsClient implements
 
   private GetFederationTokenResult getFederationTokenResult() {
     String policy;
-    AWSSecurityTokenService sts_client = AWSSecurityTokenServiceClientBuilder.standard().withRegion(Regions.US_EAST_1).build();
+    AWSSecurityTokenService sts_client = AWSSecurityTokenServiceClientBuilder.standard().
+    		withCredentials(new AliasServiceAWSCredentialsProvider()).
+    		withRegion(Regions.US_EAST_1).build();
     String username = null;
     Subject subject = Subject.getSubject(AccessController.getContext());
     username = getEffectiveUserName(subject);
@@ -73,5 +79,43 @@ public class KnoxAWSClient extends AbstractKnoxCloudCredentialsClient implements
 
   @Override
   public void init(Properties context) {
+    super.init(context);
   }
+
+  private class AliasServiceAWSCredentialsProvider
+      implements AWSCredentialsProvider {
+	@Override
+	public AWSCredentials getCredentials() {
+	  return new AWSCredentials() {
+        @Override
+        public String getAWSAccessKeyId() {
+          try {
+			return new String(aliasService.
+			    getPasswordFromAliasForCluster(topologyName, "aws.credentials.key"));
+		  } catch (AliasServiceException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		  }
+          return null;
+		}
+		@Override
+		public String getAWSSecretKey() {
+          try {
+			return new String(aliasService.
+			    getPasswordFromAliasForCluster(topologyName, "aws.credentials.secret"));
+		  } catch (AliasServiceException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		  }
+          return null;
+		}
+	  };
+	}
+
+	@Override
+	public void refresh() {		
+	}
+	  
+  }
+
 }
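Review bot: Both `getAWSAccessKeyId` and `getAWSSecretKey` in the new `AliasServiceAWSCredentialsProvider` catch `AliasServiceException`, print the stack trace and return null, so a missing or unreadable alias surfaces only later as an opaque SDK failure and the cause goes to stderr rather than the gateway log; rethrowing as an unchecked exception carrying the cause, e.g. `throw new IllegalStateException("unable to read AWS credential alias for topology " + topologyName, e);`, keeps the failure at its origin without exposing the value. If `getPasswordFromAliasForCluster` returns null for an alias that was never set (not visible here), `new String(...)` would also throw a NullPointerException, so a null check with a clear message is worth adding in the same place. The alias names `aws.credentials.key` and `aws.credentials.secret` are the deployment contract for this provider and appear nowhere else in the commit; a comment on the inner class such as `// Resolves the STS caller's AWS key pair from the topology-scoped aliases aws.credentials.key / aws.credentials.secret` (or Javadoc) would document them. The inner class mixes tab and space indentation, unlike the two-space style of the rest of the file.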

http://git-wip-us.apache.org/repos/asf/knox/blob/e4b75908/gateway-service-knoxs3/src/main/java/org/apache/knox/gateway/service/knoxs3/KnoxS3ClientBuilder.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxs3/src/main/java/org/apache/knox/gateway/service/knoxs3/KnoxS3ClientBuilder.java
b/gateway-service-knoxs3/src/main/java/org/apache/knox/gateway/service/knoxs3/KnoxS3ClientBuilder.java
index 62730f9..1f91b72 100644
--- a/gateway-service-knoxs3/src/main/java/org/apache/knox/gateway/service/knoxs3/KnoxS3ClientBuilder.java
+++ b/gateway-service-knoxs3/src/main/java/org/apache/knox/gateway/service/knoxs3/KnoxS3ClientBuilder.java
@@ -33,7 +33,7 @@ import org.apache.knox.gateway.security.ImpersonatedPrincipal;
 import org.apache.knox.gateway.security.PrimaryPrincipal;
 import org.apache.knox.gateway.security.SubjectUtils;
 import org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient;
-import org.apache.knox.gateway.service.idbroker.KnoxCloudCredentiatlsClientManager;
+import org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClientManager;
 import org.apache.knox.gateway.service.idbroker.KnoxCloudPolicyProvider;
 import org.apache.knox.gateway.service.idbroker.KnoxPolicyProviderManager;
 
@@ -52,7 +52,7 @@ import com.amazonaws.services.securitytoken.model.GetFederationTokenResult;
 
 public class KnoxS3ClientBuilder {
   private KnoxCloudPolicyProvider policyProvider = new KnoxPolicyProviderManager();
-  private KnoxCloudCredentialsClient credentialsClient = new KnoxCloudCredentiatlsClientManager();
+  private KnoxCloudCredentialsClient credentialsClient = new KnoxCloudCredentialsClientManager();
 
   private Properties props = null;
 

